Holding on to Compliance While Adopting DevSecOps: An SLR

The software industry has witnessed a growing interest in DevSecOps due to the premises of integrating security in the software development lifecycle. However, security compliance cannot be disregarded, given the importance of adherence to regulations, laws, industry standards, and frameworks. This study aims to provide an overview of compliance aspects in the context of DevSecOps and explore how compliance is ensured. Furthermore, this study reveals the trends of compliance according to the extant literature and identifies potential directions for further research in this context. Therefore, we carried out a systematic literature review on the integration of compliance aspects in DevSecOps, which rigorously followed the guidelines proposed by Kitchenham and Charters. We found 934 articles related to the topic by searching five bibliographic databases (163) and Google Scholar (771). Through a rigorous selection process, we selected 15 papers as primary studies. Then, we identified the compliance aspects of DevSecOps and grouped them into three main categories: compliance initiation, compliance management, and compliance technicalities. We observed a low number of studies; therefore, we encourage further efforts into the exploration of compliance aspects, their automated integration, and the development of metrics to evaluate such a process in the context of DevSecOps.publishedVersio

A Systematic Review on Social Robots in Public Spaces: Threat Landscape and Attack Surface

There is a growing interest in using social robots in public spaces for indoor and outdoor applications. The threat landscape is an important research area being investigated and debated by various stakeholders. Objectives: This study aims to identify and synthesize empirical research on the complete threat landscape of social robots in public spaces. Specifically, this paper identifies the potential threat actors, their motives for attacks, vulnerabilities, attack vectors, potential impacts of attacks, possible attack scenarios, and mitigations to these threats. Methods: This systematic literature review follows the guidelines by Kitchenham and Charters. The search was conducted in five digital databases, and 1469 studies were retrieved. This study analyzed 21 studies that satisfied the selection criteria. Results: Main findings reveal four threat categories: cybersecurity, social, physical, and public space. Conclusion: This study completely grasped the complexity of the transdisciplinary problem of social robot security and privacy while accommodating the diversity of stakeholders’ perspectives. Findings give researchers and other stakeholders a comprehensive view by highlighting current developments and new research directions in this field. This study also proposed a taxonomy for threat actors and the threat landscape of social robots in public spaces.publishedVersio

Securing Tactical Service Oriented Architectures

Abstract Research and development across military network technologies is an ongoing task, seeking to satisfy continuously evolving requirements and adversarial models. Beyond distinct implementations or technologies, the aforementioned requirements specify networks that provide, flexibility, agility, and adaptability to the dynamic military operational context. Furthermore, such networks must primarily support uninterrupted access to services and information, for the consolidation and maintenance of an enriched COP (Common Operational Picture), and the provisioning of military capabilities. Nonetheless, military networks do not constitute a unified environment, for which generic technologies can be developed and deployed, while a clear distinction exists between the strategic, operational and tactical levels. The strategic/ operational levels rely on permanent or semi-permanent infrastructure that supports components such as headquarters, mission control centres, and logistics coordination centres. Contrary to that, the tactical level incorporates provisional assets deployed for the attainment of specific operational objectives, within singular or interlaced mission scenarios. Therefore, tactical networks are of constrained nature in terms related to infrastructure, operational capabilities, and resource availability. Accordingly, deploying and securing tactical C2 (Command and Control) and C4I (Command, Control, Communications, Computers, and Intelligence) systems, must accommodate such requirements and constraints. Furthermore, the increased integration of information systems towards the attainment of NEC (Network Enabled Capability), promoted the use of SOA (Service Oriented Architectures) across all levels. To address the security challenges, imposed by tactical SOA, the scope of this thesis is tripartite. Initially, the corresponding requirements have been extracted, referring both to the protection of information and services, but also to functional requirements for the developed policy and service architectures. Protecting tactical SOA requires the accommodation of security requirements, for stored, transmitted and processed information, under the explicit constraints of the tactical environment, maintaining operability within the various tactical modes of operation. Furthermore, the constraints of tactical networks impose significant limitations to the realization of suitable SOA based solutions. Overcoming these limitations, while maintaining the enforcement of security controls for the protection of services, as the means to process. information, is a critical task that we investigated. Finally the functional requirements for the implementation of a security policy mechanism tailored to tactical SOA, have been extracted and analysed. The aforementioned constraints within the highly dynamic tactical environment, impose significant limitations to the functionalities and efficiency of current security policy frameworks. Thus, a security policy framework dedicated to tactical SOA is presented, as it has been developed in alignment to the previously identified requirements. Consequently, due to the constrained nature of tactical nodes, the parameters governing the partitioning and distribution of security policies are investigated within our work. Elements of critical impact have been identified and analysed, while a suitable partitioning mechanism has been defined. Furthermore, possible divergences across the distributed policies have been classified, and mechanisms for policy reconciliation have been developed. The nature of occurring divergences has been limited to an expected and permitted subset, while taking under consideration the constraints of the tactical environment and the requirement for auditing, prioritization and roll back capabilities. The last component of our research relates to the development of a core security service architecture, tailored to the requirements of tactical SOA. This refers to a subset of services that are dedicated to the attainment of the identified security controls, according to security policies established at the mission preparation stage. Furthermore, additional aspects such as the interoperability of the security architecture and the QoS (Quality of Service) decision subsystem have been examined

Cyber Security Training for Critical Infrastructure Protection: a Literature Review

Introduction: Today, cyber-security curricula are available across educational types and levels, including a vast array of programs and modules tailored to specific sectors of industry and audiences, to allow more targeted delivery of knowledge. Nonetheless, general agreement on best measures and methods for cybersecurity training has yet to be reached. Objective: In this study, we seek to establish the current state-of-the-art in cyber-security training offerings for critical infrastructure protection and the key performance indicators (KPIs) that allow evaluating their effectiveness. Particular focus is given in this study on the aviation, energy and nuclear sectors. Methodology: Accordingly, the article presents the findings of a systematic literature review that collected relevant literature produced after 2000. The identified sources have been examined according to a formal data extraction form, allowing the analysis of relevant training solutions, methodologies, target groups and focus areas. Results: The results show that solutions that provide hands-on experience, team skills development, high level of real-life fidelity are often preferred to other options, with simulation-based solutions showing the highest amount of research and development. Nonetheless, researchers have not reached agreements on optimal training delivery methods and design of cybersecurity exercises. Conclusion: Consequently, research on improving current cybersecurity training offerings should be conducted, to demonstrate whether integrating advantageous attributes from different delivery methods could produce more comprehensive and effective solutions

Security, Privacy, and Trustworthiness of Sensor Networks and Internet of Things

This editorial gives an overview of the papers included in the Special Issue on “Security, Privacy, and Trustworthiness of Sensor Networks and Internet of Things” of Sensors. The context of the special issue theme is first briefly described. This is then followed by an outline of each paper that provides information on the problem addressed; the proposed solution/approach; and, where relevant, the results of the evaluation of the proposed solution

A Security Policy Infrastructure for Tactical Service Oriented Architectures

Tactical networks are affected by multiple constraints related to the limited node characteristics and the availability of resources. These constraints within the highly dynamic tactical environment, impose significant limitations to the functionalities and efficiency of current generic security policy frameworks. Earlier studies have provided a risk analysis of tactical service oriented architectures (SOA), and a set of fine-grained protection goals in correspondence to the aforementioned constraints. Furthermore, web ontology language has been identified as a suitable mediator towards the requirements and opportunities imposed by tactical SOA. Thus, in this article we present a security policy framework dedicated to tactical networks, as it has been developed within the project TACTICS

Key Competencies for Critical Infrastructure Cyber-Security: a Systematic Literature Review

Purpose The purpose of this paper can be encapsulated in the following points: identify the research papers published on the topic: competencies and skills necessary for critical infrastructure (CI) cyber-security (CS) protection; determine main focus areas within the identified literature and evaluate the dependency or lack thereof between them: make recommendations for future research. Design/methodology/approach This study is based on a systematic literature review conducted to identify scientific papers discussing and evaluating competencies, skills and essential attributes needed by the CI workforce for CS and preparedness to attacks and incidents. Findings After a comparative analysis of the articles reviewed in this study, a variety of skills and competencies was found to be necessary for CS assurance in CIs. These skills have been grouped into four categories, namely, technical, managerial, implementation and soft skills. Nonetheless, there is still a lack of agreement on which skills are the most critical and further research should be conducted on the relation between specific soft skills and CS assurance. Research limitations/implications Investigation of which skills are required by industry for specific CS roles, by conducting interviews and sending questionnaire\surveys, would allow consolidating whether literature and industry requirements are equivalent. Practical implications Findings from this literature review suggest that more effort should be taken to conciliate current CS curricula in academia with the skills and competencies required for CS roles in the industry. Originality/value This study provides a previously lacking current mapping and review of literature discussing skills and competencies evidenced as critical for CS assurance for CI. The findings of this research are useful for the development of comprehensive solutions for CS awareness and training

Modeling Effective Cybersecurity Training Frameworks: a Delphi Method-based Study

Today, cybersecurity training is commonplace in both large companies and Small & Medium Enterprise (SME). Nonetheless, the effectiveness of many of the current training offerings is put into question by reports of increasing successful cyber-attacks. While a number of models for developing Cybersecurity (CS) training frameworks for industrial personnel or general audience have been proposed, these models often lack consideration for humans aspects of learning (cognitive abilities, learning styles, meta-cognition among others) during development. Additionally, the success of a CS training program highly depends on its ability to engage participants. To develop a CS training framework that is able to motivate participants, we must consider individual-specific factors that can affect the result of training, besides establishing optimal training delivery methods and assessment. For this, in this work we propose a CS training framework based on a revised version of the ADDIE model and more recent research personalised learning theory. The Delphi method was used to both develop and validate our decisions during the development of the training framework model. The results of the decision of the Delphi method have later been compared to recommendations in the literature to create the finalised framework. This work presents two major distinctions from other CS training frameworks models described in the literature. First, the developed model is strongly based in learning theory foundations and takes into consideration differences in learning styles, cognitive abilities and metacognition of individuals, to offer tailored solutions optimized for each group of employees and single individual. Second, the use of the Delphi method and the involvement of experts stakeholders from various sides of academia and industry gave a wide insight into current needs and recommendations for CS training, as well as formal validation for the final development

Cybersecurity and Safety Co-Engineering of Cyberphysical Systems—A Comprehensive Survey

Safeguarding both safety and cybersecurity is paramount to the smooth and trustworthy operation of contemporary cyber physical systems, many of which support critical functions and services. As safety and security have been known to be interdependent, they need to be jointly considered in such systems. As a result, various approaches have been proposed to address safety and cybersecurity co-engineering in cyber physical systems. This paper provides a comprehensive survey of safety and cybersecurity co-engineering methods, and discusses relevant open issues and research challenges. Despite the extent of the existing literature, several aspects of the subject still remain to be fully addressed